CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms
CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in SolarWinds Web Help Desk (CVE-2025-40536) with an accelerated patch deadline, alongside additional KEV additions affecting Apple platforms (iOS, macOS, tvOS, watchOS, visionOS), Microsoft products, and Notepad++. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with Google Threat Analysis Group credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days.
Separate reporting highlighted the broader operational context driving these directives: Microsoft’s February security update addressed 59 vulnerabilities, including six zero-days under active exploitation, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to remove unsupported network edge devices (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA sets an accelerated deadline for SolarWinds Web Help Desk remediation
Alongside the broader KEV update, CISA imposed the most urgent patching timeline on SolarWinds Web Help Desk flaw CVE-2025-40536, requiring federal agencies to address it within days. The order followed an earlier rapid patch deadline for a related Web Help Desk issue.
CISA orders agencies to patch newly added exploited vulnerabilities
CISA added 10 newly identified exploited vulnerabilities to its Known Exploited Vulnerabilities catalog and directed U.S. federal civilian agencies to remediate them by early March 2026. The list included CVE-2025-40536 in SolarWinds Web Help Desk, Apple CVE-2026-20700, six Microsoft flaws, and a Notepad++ vulnerability.
Active exploitation of SolarWinds Web Help Desk flaws is reported
By early February, security reporting highlighted that January-disclosed zero-day vulnerabilities affecting SolarWinds Web Help Desk were being actively exploited in the wild. This established the flaws as an ongoing threat rather than a purely theoretical issue.
SolarWinds releases patches for Web Help Desk zero-day CVE-2025-40536
SolarWinds issued fixes for the actively exploited SolarWinds Web Help Desk vulnerability CVE-2025-40536. Reporting says the patches were released on January 28, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
News brief: 6 Microsoft zero days and a warning from CISA | TechTarget
techtarget.com
Open sourceCISA orders federal agencies to patch exploited SolarWinds, Apple, Microsoft bugs within weeks | The Record from Recorded Future News
therecord.media
Open sourceThe hard part of purple teaming starts after detection | CSO Online
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Expands KEV Catalog With Broad Wave of Actively Exploited Enterprise Flaws
CISA repeatedly expanded its **Known Exploited Vulnerabilities (KEV) Catalog** after confirming active exploitation across a wide range of products, including Apple platforms, Ivanti EPM and EPMM, SolarWinds Web Help Desk, Omnissa Workspace ONE, n8n, Google Chromium and Skia, Wing FTP Server, Zimbra, Cisco firewall management products, Langflow, Aqua Security Trivy, F5 BIG-IP, Fortinet FortiClient EMS, Microsoft Exchange, SharePoint, Windows, Defender, Adobe Acrobat/Reader, Apache ActiveMQ, Trend Micro Apex One, Palo Alto PAN-OS, and other enterprise software. Several entries were especially notable because they involved **remote code execution, code injection, deserialization, authentication bypass, privilege escalation, and supply-chain-style malicious code risks**, while CISA also highlighted active exploitation of older legacy Microsoft and Adobe flaws that remain dangerous on unpatched or end-of-life systems. Reporting tied some of the newly listed issues to concrete attack activity and elevated operational risk. Apple flaws added to KEV were reported as exploitable through malicious web content or apps and could lead to arbitrary code execution or kernel-level execution, while the critical Langflow bug `CVE-2025-34291` was described as enabling session hijacking, token theft, persistence, and possible full system compromise in AI workflow deployments; separate reporting said the Iranian threat actor **MuddyWater** used it for initial access. Trend Micro said it observed at least one attempted in-the-wild exploitation of its Apex One flaw, and coverage of Ivanti vulnerabilities warned that defenders should not rely solely on shared indicators of compromise. Under **Binding Operational Directive 22-01**, Federal Civilian Executive Branch agencies were ordered to remediate each KEV-listed flaw by assigned deadlines, and CISA urged all organizations to apply vendor fixes or mitigations immediately and discontinue affected products if no mitigation is available.
Jun 16, 2026
CISA Adds Apple WebKit and Gladinet CentreStack Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-43529, a use-after-free vulnerability in Apple’s WebKit engine affecting multiple Apple products, and CVE-2025-14611, a hard-coded cryptographic vulnerability in Gladinet CentreStack and Triofox. These vulnerabilities have been identified as significant risks due to evidence of active exploitation, prompting CISA to require Federal Civilian Executive Branch agencies to remediate them by specified deadlines under Binding Operational Directive 22-01. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks. Recent reports indicate that the Apple WebKit vulnerability (CVE-2025-43529) has been exploited in highly targeted attacks, likely involving nation-state actors and commercial spyware vendors, with a focus on high-value individuals. Apple and Google both released urgent security updates in response to these attacks, though details remain limited. The WebKit flaw allows attackers to trigger memory corruption through specially crafted web content, potentially leading to arbitrary code execution. The Gladinet CentreStack and Triofox vulnerability involves hard-coded cryptographic keys, which could be leveraged by attackers to compromise affected systems. Organizations are urged to apply available patches and follow CISA’s guidance to mitigate these threats.
Mar 21, 2026
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
Mar 21, 2026